Revision: 62725
at March 8, 2013 01:47 by edwinet


Initial Code
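-- Object-level permissions in the current database:
-- which user or role holds which permission on which object.
SELECT 
    su.[name] AS 'User',
    -- protecttype: how the permission was assigned
    CASE sp.[protecttype]
      WHEN 204 THEN 'GRANT w/ GRANT'
      WHEN 205 THEN 'GRANT'
      WHEN 206 THEN 'DENY' END AS 'Permission',
    -- action: the permission itself
    CASE sp.[action]
      WHEN 26 THEN 'REFERENCES'
      WHEN 193 THEN 'SELECT'
      WHEN 195 THEN 'INSERT'
      WHEN 196 THEN 'DELETE'
      WHEN 197 THEN 'UPDATE'
      WHEN 224 THEN 'EXECUTE' END AS 'Action',
    so.[name] AS 'Object'
FROM sysprotects AS sp
  INNER JOIN sysusers AS su
    ON sp.[uid] = su.[uid]
  INNER JOIN sysobjects AS so
    ON sp.[id] = so.[id]
-- Object-level actions only; database-level permissions such as CREATE TABLE are left out.
WHERE sp.[action] IN (26, 193, 195, 196, 197, 224) 
ORDER BY su.[name], so.[name];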

Initial URL
http://www.mssqltips.com/sqlservertip/2132/auditing-sql-server-user-and-role-permissions-for-databases/

Initial Description
The sysprotects system table reports all of the permissions granted or denied in a given database. We'll need to join it with sysusers and sysobjects to get all the information we need. Here's an example query that pulls information on objects only (no CREATE TABLE permissions or anything else at the database level).
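
An added example, not part of the original snippet or the linked tip: the same object-level audit written against the catalog views sys.database_permissions, sys.database_principals and sys.objects, which SQL Server 2005 and later provide alongside the sysprotects compatibility view. It goes slightly beyond the query above by also reporting the principal type, schema, column-level grants and grantor; the filter on user-created objects is an assumption about what the audit should cover.

```sql
-- Added example: object- and column-level permissions in the current database,
-- read from the catalog views instead of sysprotects / sysusers / sysobjects.
SELECT
    dp.[name]                              AS [Principal],
    dp.[type_desc]                         AS [PrincipalType],  -- e.g. SQL_USER, DATABASE_ROLE
    CASE pe.[state]
      WHEN 'W' THEN 'GRANT w/ GRANT'       -- grant with grant option
      WHEN 'G' THEN 'GRANT'
      WHEN 'D' THEN 'DENY' END             AS [Permission],
    pe.[permission_name]                   AS [Action],
    SCHEMA_NAME(o.[schema_id])             AS [Schema],
    o.[name]                               AS [Object],
    o.[type_desc]                          AS [ObjectType],
    COL_NAME(pe.[major_id], pe.[minor_id]) AS [Column],         -- NULL when the grant covers the whole object
    gr.[name]                              AS [Grantor]
FROM sys.database_permissions AS pe
  INNER JOIN sys.database_principals AS dp
    ON pe.[grantee_principal_id] = dp.[principal_id]
  INNER JOIN sys.database_principals AS gr
    ON pe.[grantor_principal_id] = gr.[principal_id]
  INNER JOIN sys.objects AS o
    ON pe.[major_id] = o.[object_id]
WHERE pe.[class] = 1                       -- OBJECT_OR_COLUMN: leaves out database-level permissions
  AND o.[is_ms_shipped] = 0                -- assumption: audit user-created objects only; drop to include all
  AND pe.[permission_name] IN
      ('REFERENCES', 'SELECT', 'INSERT', 'DELETE', 'UPDATE', 'EXECUTE')
ORDER BY dp.[name], SCHEMA_NAME(o.[schema_id]), o.[name], pe.[permission_name];
```

These catalog views are scoped to the current database and only return rows the caller is allowed to see, so run the query in each database under review with an account that can view all of its metadata.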

Initial Title
Auditing SQL Server User and Role Permissions for Databases

Initial Tags
sql, query, security

Initial Language
SQL